Written by There was a pretty strong market reaction to the news that British Airways’ cybersecurity was bust. Whoever signed off on the web site, must have been regretting cutting the security budget in favour of using celebrities for that annoying safety video when they read that “shares of British Airways’ parent company IAG fell around 4% as markets opened on Friday morning, hours after the airline said the credit card information of at least 380,000 customers had been ‘compromised’ in a data theft”. According to BA, the “compromised” data includes customers’ names, e-mail addresses, billing addresses and payment card information (including CVVs) but not passport details. It subsequently transpired that it was a “Magecart” attack on the scripts running on the BA web site. Hardly surprising, in a way. After all, the book page at BA runs 30 scripts, and remember that many of these are minified scripts spanning thousands of lines of code.
Since I had booked a fair few flights during this period, which included arranging for family members to attend a funeral, I didn’t for one moment doubt that my card details had been hijacked by cyber-criminals. Indeed when I next logged in to check something else I saw a message from BA about something to do with security that I didn’t have time to read because I was in a hurry.
So it all sounds pretty bad.
I don’t really care though.
Here’s why:
First of all, thanks to the government’s nutty ban on card surcharging, I use the most expensive (for BA) payment products possible, which happen to be my American Express cards. Now in my experience, Amex has pretty good anti-fraud software in place and they call me from time to time to check if a transaction is valid. So if cyberrascals try to use my card to buy something I don’t normally buy in a place I don’t normally buy things, they will probably catch it.
Second of all, if they don’t catch it, it is Amex’s money that has been stolen, not mine. Thanks to a combination of consumer protection legislation and Amex terms and conditions, when the transaction shows up on my bill I’ll just call up and cancel it. And if there’s more than a couple of these transactions, I’ll cancel the card and Amex will send me a new one. I’m not going to be out of pocket and it’s not that much hassle.
Third of all, if they don’t catch it and the merchant was not using 3DS secure, then it is the merchant who is out of pocket and not me or Amex. My Amex transactions all pop up on my phone, so if I see something I don’t recognise pop up, then I’ll call Amex to charge it back to whichever merchant was unwise enough to accept the card details.
TL;DR; Not bovvered.
(Incidentally, the last couple of times I’ve attempted to charge things back to Amex, it was for transactions that were actually correct. Due to the ancient ISO 8583 protocol, transactions don’t carry enough information for consumers to recognise them. So when I see a charge of £35 to “BA.COM” with no explanation of what it’s for, I of course automatically click on it for more details only there are no more details, so I charge it back only to discover it was for a change to a family member’s flight that I’d completely forgotten about. But I digress.)
The general problem here is of course that nobody should be typing payment card details into a web site any more and no-one else should be sending them anywhere in 2018. When I click to pay on the British Airways web site, relevant details should pop up on my mobile phone (in this case, in my British Airways app) so that I can then pay with ApplePay. This, as you know, provides a token to pass to the acquirer not the actual card number. So it doesn’t matter if it is stolen.
(As to why British Airways should handle payment details at all, well that’s a story for another day. In a rational world, British Airways would send a digitally-signed invoice to my chosen payment providers – let’s say, for example, my bank – who can then contact me for authorisation, generally by authenticating through a mobile phone app, and return a digitally-signed receipt to British Airways who can then issue the ticket.)
This sort of breach of card data may not be around for much longer though. Earlier in the year Deutsche Bank announced a pilot project with the International Air Transport Association (IATA), the trade association for the world’s airlines, to test a new payment model using account-to-account payments enabled by PSD2. I’m sure my BA app will sprout a new button to pay directly from my bank account (in return for double Avios or whatever) fairly soon and the very notion of storing payment card details to pay for travel will seen almost quaint.
But these are just the sort of problems we help clients figure out. Consult Hyperion does pretty interesting stuff, for pretty interesting people. Securing electronic transactions is in our DNA.
